CyberEye

Can feds give cybersecurity the attention it deserves?

The insider threat to agency data, whether from people actively trying to steal it or from those who witlessly allow others to access it, is hardly a new issue. But it seems to be one that still causes more headaches than perhaps it should.

A Symantec-sponsored report found that just under half of the federal IT managers surveyed said their agency had been the target of an insider incident over a 12-month period. One in three said they had lost data to such an incident.

Sound familiar? The potential damage caused by malicious threats from insiders was certainly noted after the Wikileaks incident and hammered home by the Snowden affair. More recent breaches at the Office of Personnel Management and at the Pentagon were blamed, at least in part, on “bad cyber hygiene” by agency insiders.

Yet the report found that most agencies still don’t employ basic security measures. Well under half of them offer annual in-person security training to their employees or employ obvious technologies such as two-factor authentication or agencywide endpoint encryption. Plus, they can’t tell when documents have been shared or how.

According to Symantec Public Sector Unified Security Practice Manager Ken Durbin, that’s largely because of the many competing issues agency IT managers must juggle.

“They’re under a lot of pressure on a lot of different fronts and have a lot of mandates and guidance they have to balance,” he said. “It’s a constant struggle for them to figure out where to put their resources, and what [security] area they need to tackle first.”

The good news is that the survey found over 75 percent of agencies seem be more focused on the insider threat now than a year ago. Despite that, however, two-thirds also said it is common for employees and contractors to email documents to personal accounts, and over half said appropriate security protocols simply are not followed. Some 40 percent say unauthorized employees access government information they shouldn’t on at least a weekly basis.

It’s these kinds of behaviors that have caused agency executives increasingly violent conniptions, and some have started to threaten fairly draconian action if their workers don’t start getting their security act together. Defense Department CIO Terry Halvorsen, for example, has said he could throw people who don’t practice good cyber hygiene off DOD networks. More recently, the Department of Homeland Security’s chief information security officer has talked about revoking repeat offenders’ security clearances.

It’s not clear how far that approach would go with all agencies. Some would no doubt want to wield that kind of big stick, but others will prefer to dangle carrots in front of people. It’s unlikely there will be anything like consensus.

Meanwhile, agencies must do what they can. Down the road, effective help is heading their way in the form of the DHS Continuous Diagnostics and Mitigation program, which will seed all agencies with a capability to know in real time if there are any problems on their networks and what they can do about them. That has the added attraction of something that DHS will pay for but, as Durbin also pointed out, it’s being rolled out much more slowly than many would like.

So, what to do in the meantime?

“Access control makes a lot of sense, limiting the kind of access that could otherwise be taken advantage of,” Durbin said. “Two-factor authentication gives a higher confidence that someone is who they say they are, and limiting escalated privileges means that, if someone is comprised, attackers can’t get access to (vital) network privileges.”

Even with all of that, he admits, it’s still a porous border. A better balanced scenario would be for agencies to put at least some of this in place, but also focus on their most sensitive data and put the strongest protections around that.

However, that requires agencies in the first place knowing what data they have and where it is. Which is the subject for a whole other story.

Mission: Impossible, the DARPA way

The problem with putting data on a chip for security sensitive organizations like the DOD is that the data is persistent, and if equipment containing the chips is captured, so is the information they contain. So the Defense Advanced Research Projects Agency, perhaps having watched old TV shows or recent Tom Cruise movies, is trying the destructive approach.

Following a contract with IBM to create self-destructing chips that use strained glass substrates, it recently demoed a working version of such a chip. It uses a circuit that, when triggered, causes a resistor to heat the chip and shatter.

At least in battlefield situations, spinning disk drives will soon be a thing of the past, with more robust solid state drives — chip-based memory — taking their place. That’s their advantage, but also their problem, one the DARPA program aims to solve.

It may take a few seconds longer for these chips to self-destruct than the MI devices required, however. And DARPA’s not saying if said destruction will be accompanied by those cool clouds of smoke that Jim Phelps had to endure.

Democrats will vote on an appropriations package to reopen all the federal agencies shuttered during the partial shutdown, but the lack of wall funding will likely means the measure won't get a vote in the Senate.